The work outlined here is specifically focused on what could be done in a year with funding, though these goals should also be read as a larger roadmap for Whonix's development in general. This roadmap is focused on three goals:

make Whonix more sustainable by making it easier for the community to engage and contribute code

Whonix consists of roughly 25,000 lines of code, almost all of it in a single git repository. To streamline development of Whonix's source code, it would be better if Whonix were split into multiple packages. That would make Whonix's architecture easier to grasp, make it simpler to contribute to Whonix, simpler to audit the critical parts of Whonix, and simpler to port Whonix to other targets.

We should pay The Tor Project (if they are willing) or someone else to implement torrc.d-style configuration directories (a feature request that has been open for four years already). This feature is required for a more robust and simpler implementation of features such as easier bridge setup (just dropping a config snippet into the directory rather than programmatically editing /etc/tor/torrc) or features such as "sudo apt-get install wordpress-hidden-service".
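To make the torrc.d idea concrete, here is an added example of what such a mechanism would do: it concatenates drop-in snippets onto a base torrc in lexical order and then checks the merged result for the mistakes a packaged snippet can introduce. This is illustration code written for this page, not Tor's implementation and not Whonix's code (later Tor releases added a %include directive for this purpose). The file names, the bridge line (TEST-NET address, all-zero fingerprint) and the set of options treated as single-valued are assumptions made for the example.

```python
"""Assemble a torrc from drop-in snippets and sanity-check the result."""
import os
import tempfile

# Assumption for this example: options a Tor client normally sets once.
# Tor keeps the last occurrence of such an option, so two snippets that
# disagree about it produce a silent, order-dependent result.
SINGLE_VALUED = {"UseBridges", "DisableNetwork", "ClientOnly", "DataDirectory"}


def parse_lines(text):
    """Yield (key, value) for each non-empty, non-comment torrc line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        yield key, value.strip()


def assemble(base_torrc, snippet_dir):
    """Concatenate the base torrc and every *.conf snippet in lexical order."""
    parts = [base_torrc.rstrip("\n")]
    for name in sorted(os.listdir(snippet_dir)):
        if name.endswith(".conf"):
            with open(os.path.join(snippet_dir, name)) as fh:
                parts.append(f"# --- {name} ---\n" + fh.read().rstrip("\n"))
    return "\n".join(parts) + "\n"


def check(config_text):
    """Return problems a snippet author would want caught before Tor starts."""
    problems = []
    keys = {}
    seen_single = {}
    for key, value in parse_lines(config_text):
        keys.setdefault(key, []).append(value)
        if key in SINGLE_VALUED:
            if key in seen_single and seen_single[key] != value:
                problems.append(f"{key} set twice with different values; the last one wins")
            seen_single[key] = value
    if keys.get("UseBridges", ["0"])[-1] == "1" and "Bridge" not in keys:
        problems.append("UseBridges 1 but no Bridge lines: Tor cannot bootstrap")
    # Every transport named on a Bridge line needs a ClientTransportPlugin.
    transports = set()
    for v in keys.get("ClientTransportPlugin", []):
        if v.split():
            transports.update(v.split()[0].split(","))
    for bridge in keys.get("Bridge", []):
        first = bridge.split()[0] if bridge.split() else ""
        # A plain bridge line starts with an address; a transport bridge with a name.
        if first and not first[0].isdigit() and first[0] != "[" and first not in transports:
            problems.append(f"Bridge uses transport '{first}' without a ClientTransportPlugin line")
    return problems


def demo():
    """Constructed base torrc plus two snippets (placeholder bridge, not a real one)."""
    base = "SocksPort 9050\nDataDirectory /var/lib/tor\n"
    snippets = {
        "40_bridges.conf": (
            "UseBridges 1\n"
            "ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy\n"
            "Bridge obfs4 192.0.2.10:443 0000000000000000000000000000000000000000 cert=EXAMPLE iat-mode=0\n"
        ),
        "50_hs_wordpress.conf": (
            "HiddenServiceDir /var/lib/tor/wordpress\n"
            "HiddenServicePort 80 127.0.0.1:80\n"
        ),
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in snippets.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        merged = assemble(base, d)
    return merged, check(merged)


if __name__ == "__main__":
    merged, problems = demo()
    print(merged)
    print("problems:", problems or "none")
```

The point of the check step is that a package which only drops a file can no longer edit what other packages dropped, so conflicts and half-configured bridges (a transport bridge without its plugin, UseBridges without any Bridge line) have to be caught at assembly time rather than by a user staring at a Tor log that never bootstraps.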

Whonix's primary goal is security, without it nothing matters.
Patrick, can you expand the issues in this section and make them each focused, say 3 main security issues that should be dealt with over the next year

Whonix's firewall is the heart of Whonix's security: it prevents leaks and routes everything over Tor. We have done Dev/Leak Tests, but an expert in iptables / networking should audit Whonix for leaks. This could be done as a one-time contractor project.
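A leak audit of this kind starts from the live ruleset (iptables-save output) and asks whether any OUTPUT path exists for traffic that is not Tor's own. The following is an added example of that static check, written for this page; it is not Whonix's firewall, not its Dev/Leak Tests, and no substitute for the human audit. Both dumps are constructed for the example (the first with a deliberate DNS leak), and the policy being enforced (default-DROP OUTPUT, ACCEPT only on loopback or for the Tor uid, assumed here to be debian-tor) is an assumption about what a Tor-only gateway should look like.

```python
"""Static leak check over an iptables-save dump of the filter table."""
import shlex

TOR_UID = "debian-tor"  # assumption: the uid Tor runs under on Debian

# Constructed dump, not Whonix's ruleset; the udp/53 rule is a deliberate leak.
LEAKY_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT
"""

# Same dump with the two unrestricted ACCEPTs removed.
HARDENED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -j DROP
COMMIT
"""


def parse_chain(dump, chain):
    """Return (policy, [rule token lists]) for one chain of an iptables-save dump."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif line.startswith(f"-A {chain} "):
            rules.append(shlex.split(line)[2:])
    return policy, rules


def opt(tokens, flag):
    """Value following `flag` in a rule's token list, or None if absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def audit_output_chain(dump, tor_uid=TOR_UID):
    """List every way the OUTPUT chain could let non-Tor traffic leave the host.

    Conservative by design: any ACCEPT that is not provably loopback-only or
    owned by the Tor uid is reported, and a human decides whether it is safe.
    """
    findings = []
    policy, rules = parse_chain(dump, "OUTPUT")
    if policy != "DROP":
        findings.append(f"OUTPUT policy is {policy}, not DROP: unmatched traffic leaks")
    for tokens in rules:
        if opt(tokens, "-j") != "ACCEPT":
            continue
        if opt(tokens, "-o") == "lo" or opt(tokens, "--uid-owner") == tor_uid:
            continue
        findings.append("ACCEPT not limited to lo or the Tor uid: " + " ".join(tokens))
    return findings


if __name__ == "__main__":
    for name, dump in (("leaky", LEAKY_DUMP), ("hardened", HARDENED_DUMP)):
        print(name, audit_output_chain(dump) or "no findings")
```

Two things the sample shows that an auditor should look at in a real ruleset: the udp/53 rule is the classic DNS leak (a resolver library on the gateway would bypass Tor entirely), and the bare ESTABLISHED accept is flagged because it is not tied to an owner; whether it is exploitable depends on what INPUT lets conntrack create, which is exactly the kind of question the audit should answer rather than assume. The nat table (the redirects that send workstation traffic into Tor's transparent proxy port) needs a separate review that this check does not attempt.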

To prevent adversaries capable of man-in-the-middle attacks from exploiting whonix.org visitors or instructing them to do something malicious, https is enforced on all of whonix.org. As an alternative means of authentication, Whonix's website is also reachable via an .onion address, since those are end-to-end encrypted by default and independent of the CA cartel. Due to the nature of the project, Whonix's downloadable files are big. Neither Whonix nor most other Linux distributions can afford to serve their downloadable files over https. Hence, for most projects, most files are downloaded over unauthenticated http, an invitation for man-in-the-middle attacks.

To work around this, many projects, Whonix included, provide cryptographic checksums (sha) and/or OpenPGP signatures. A past usability experiment on our Download page raised the share of people doing OpenPGP verification from about 1 in 32 to about 1 in 10. (The full experiment is documented on the Dev/Download_Statistics page.) Still too few users do it, even though the required steps are documented and their importance is highlighted, probably due to time constraints and usability issues with gnupg, the popular free OpenPGP implementation.

A solution to this dilemma is to build the verification mechanism directly into the browser. Metalink is the answer. Unfortunately, it has not been built into popular browsers yet. We have a long-standing github issue for it. The Whonix team currently has no resources to tackle this issue.

Mozilla has had an open feature request since 2006 and it does not look like they will work on it any time soon. With funding we could finally tackle this issue and help lots of other security-focused projects as well. Ideas:

contact Mozilla and ask how much it would cost to buy this feature

contact the Mozilla community and ask if someone would be up to implementing this feature for a price

hire a capable programmer and pay her to implement this feature and to go through the proposal and review process for as long as required until the feature gets merged into Firefox

If we had this feature, downloads from untrusted mirrors would be at least as secure as https, because the verification hash is supplied over https while only the bulk download is served over http. (As secure in terms of integrity and authenticity, that is; the http leg still reveals to the network what is being downloaded.)
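What the browser would have to do is small, which is the argument for building it in. The following added example (written for this page, not browser code and not Whonix's download tooling) parses a Metalink 4 document of the kind that would be fetched over https and checks a file fetched over http against the size and sha-256 it lists, rejecting a tampered copy. The metalink document, the image bytes and the mirror URLs are constructed inline so the example runs offline; the hash in the document is computed from the constructed image so the two are consistent.

```python
"""Verify http-served bytes against a size and sha-256 delivered over https."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"m": "urn:ietf:params:xml:ns:metalink"}  # Metalink 4 namespace (RFC 5854)

# Constructed payload standing in for a Whonix image.
GOOD_IMAGE = b"Whonix-Gateway-image-contents-" * 1000
GOOD_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()

# Constructed Metalink 4 document, imagined to have been fetched over https.
# Only the hash and size are trusted; the url elements are untrusted mirrors.
METALINK_XML = f"""<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="Whonix-Gateway.ova">
    <size>{len(GOOD_IMAGE)}</size>
    <hash type="sha-256">{GOOD_SHA256}</hash>
    <url>http://mirror.example/Whonix-Gateway.ova</url>
    <url>http://mirror2.example/Whonix-Gateway.ova</url>
  </file>
</metalink>
"""


def parse_metalink(xml_text):
    """Return {file name: (size, sha256 hex, [mirror urls])} for each <file>."""
    root = ET.fromstring(xml_text)
    files = {}
    for f in root.findall("m:file", NS):
        size = int(f.findtext("m:size", namespaces=NS))
        sha = f.findtext("m:hash[@type='sha-256']", namespaces=NS)
        urls = [u.text for u in f.findall("m:url", NS)]
        files[f.get("name")] = (size, sha.strip().lower(), urls)
    return files


def verify_download(meta, name, data):
    """True only if the http-served bytes match the https-served size and hash."""
    size, expected, _urls = meta[name]
    if len(data) != size:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time compare; harmless here but the right habit for digests.
    return hmac.compare_digest(actual, expected)


def demo():
    """Check a genuine mirror response and a same-length tampered one."""
    meta = parse_metalink(METALINK_XML)
    tampered = bytearray(GOOD_IMAGE)
    tampered[100] ^= 0x01  # one flipped bit, as a MITM on the http leg could do
    return {
        "good": verify_download(meta, "Whonix-Gateway.ova", GOOD_IMAGE),
        "tampered": verify_download(meta, "Whonix-Gateway.ova", bytes(tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not buy: the download inherits the authenticity of whatever channel delivered the metalink (here https to the project's own site, or its .onion address), no more. An OpenPGP signature over the same hash additionally binds the file to the developers' key, independent of the web server and the CA, which is why the signature step is still worth keeping even once browsers verify hashes on their own.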

Host operating systems such as Debian and Ubuntu have no way to do secure, trust-distributed network time synchronization, although that is crucial for security. (Debian bug confirmation; Ubuntu bug confirmation.) Whonix already ships a secure replacement, described on the Dev/TimeSync page. That mechanism should be split out of Whonix's source code and made a separate project, available as a package (.deb) that users can download and install. Debian developers should then be encouraged to add that package to their official repository, so that installing it becomes as simple as sudo apt-get install sdwdate. If Debian developers are not interested, Whonix developers should attempt to become Debian maintainers themselves and maintain the package in Debian. (From Debian, the package will flow down to other Debian-based distributions such as Ubuntu, Mint, etc.)

Currently, to use Whonix a user must become familiar with VirtualBox and Debian (KDE) in order to use and configure it. To accommodate those with less time or less access to expert knowledge of Linux, who may be in situations where time and security are of the essence, usability issues must be a top priority.

Whonix needs an interaction designer to review, plan and implement an across-the-board standardization of the look and feel of Whonix, both in the system itself and online.

This means a general user interface review and revision of all user-visible components: streamlining the installation of Whonix and running it, and looking at the system once Whonix-Gateway or Whonix-Workstation has booted, to make the messages and the choice of which programs to run when simpler and more consistent. It could also extend to the branding of Whonix and to consistency across all of the documentation, website and software, so that it is clear you are visiting or using a Whonix page.

Not everyone who needs privacy or security can use Unix, and not all applications are available on Unix. Whonix aims to support a Mac OS X or Windows virtual workstation that uses Whonix-Gateway to route all of its traffic through Tor. We need better instructions on how to tunnel Mac OS X or Windows through Tor using Whonix-Gateway.

We have yet to figure out how to use the translation extension and prepare whonix.org's documentation for translation. We occasionally receive offers to translate whonix.org, for example into French. Whonix developer Patrick Schleizer could translate whonix.org into German.

TBB uses the tor-launcher add-on; it looks good and makes it simpler to enter bridges. The upcoming version of tor-launcher even supports pluggable transports. Some work has been done on turning tor-launcher into a standalone XUL application. Tails developers are planning to use it; Whonix should use it as well. Some older screenshots of tor-launcher can be seen at Dev/whonixsetup. (github ticket)

The current TBB beta comes with a list of hardcoded bridges. Censors can easily obtain and ban them. Still, these hardcoded bridge relays work for a non-negligible share of users (otherwise TBB would not go down this path). We could ship this list by default as well.

There are lots of censorship circumvention tools other than Tor bridges. We should check out all of them and document how to use them with Whonix. The todo list of tools to be documented can be found here: Censorship Circumvention Tools. (github ticket)

Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.